b'                                                                UNCLASSIFIED\n\n\n                                               United States Department of State\n\n                                            and the Broadcasting Board of Governors\n\n                                                   Office of Inspector General\n\nOffice of Inspector General\n\n\n                                                        Office of Audits\n\n\n\n                                  Evaluation of the Broadcasting Board of\n\n                                  Governors Information Security Program\n\n\n                                         Report Number AUD/IT/IB-12-15, November 2011\n\n\n\n\n                                                                Important Notice\n\n                               This report is intended solely for the official use of the Department of State or the\n                               Broadcasting Board of Governors, or any agency or organization receiving a copy\n                               directly from the Office of Inspector General. No secondary distribution may be\n                               made, in whole or in part, outside the Department of State or the Broadcasting Board\n                               of Governors, by them or by other agencies of organizations, without prior\n                               authorization by the Inspector General. Public availability of the document will be\n                               determined by the Inspector General under the U.S. Code, 5 U.S.C. \xc2\xa7 552. 
Improper\n                               disclosure of this report may result in criminal, civil, or administrative penalties.\n\n\n\n                                                               UNCLASSIFIED\n\n\x0c                                          UNCLASSIFIED\n                                                                United States Department of State\n                                                                and the Broadcasting Board of Governors\n\n                                                                Office of Inspector General\n\n\n                                              PREFACE\n\n        This report is being transmitted pursuant to the Inspector General Act of 1978, as\namended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one ofa series\nof audit, inspection, investigative, and special reports prepared as part of the Office ofInspector\nGeneral\'s (OIG) responsibility to promote effective management, accountability, and positive\nchange in the Department of State and the Broadcasting Board of Governors.\n\n        In accordance with the Federal Information Security Management Act of 2002 (FISMA),\nOIG performed a review of the Broadcasting Board of Governors (BBG) Information Security\nProgram for FY 2011. To perform this review, OIG contracted with the independent public\naccountant Williams, Adley & Company, LLP. The contract required that the independent\npublic accountant perform its evaluation in accordance with guidance contained in the\nGovernment Auditing Standards, issued by the Comptroller General of the United States. The\npublic accountant\'s report is included. 
The report is based on interviews with employees and\nofficials of relevant agencies and institutions, direct observation, and a review of applicable\ndocuments.\n\n        The independent public accountant identified areas in which improvements could be\nmade, including system inventory, security configuration management, security awareness\ntraining, plans of action and milestones, remote access, user account management controls,\nvulnerability assessments, enterprise-wide and system-specific contingency plans, and incident\nresponse.\n\n        OIG evaluated the nature, extent, and timing of Williams, Adley & Company\'s work;\nmonitored progress throughout the evaluation; reviewed Williams, Adley & Company\'s\nsupporting documentation; evaluated key judgments; and performed other procedures as\nappropriate. OIG concurs with Williams, Adley & Company\'s findings, and the\nrecommendations contained in the report were developed on the basis of the best knowledge\navailable and were discussed in draft form with those individuals responsible for\nimplementation. ~IG\'s analysis of management\'s response to the recommendations has been\nincorporated into the report. OIG trusts that this report will result in more effecti.ve, efficient,\nand/or economical operations.\n\n        I express my appreciation to all of the individuals who contributed to the preparation of\nthis report.\n\n\n\n\n                                       Harold W. Geisel\n                                       Deputy Inspector General\n\n                                         UNCLASSIFIED\n\x0c~~!y~.            WILLIAMS\n~. ~,             ADLEY\n\n           Evaluation of Broadcasting Board of Governors Information Security Program\n\n\nNovember 7, 2011\n\n\nOffice ofInspector General\nU.S. Department of State\n2201 CSt., NW\nWashington, D.C. 
20520\n\n\nWilliams, Adley & Company, LLP (referred to as "we" in this letter), is pleased to provide the\nOffice of Inspector General (OIG) the results of the evaluation of the Broadcasting Board of\nGovernors (BBG) Information Security Program for FY 2011 . We evaluated BBG\'s Information\nSecUlity Program performance in compliance with the Federal Information Security\nManagement Act, Office of Management and Budget (OMB), and National Institute of Standards\nand Technology regulations, standards, and requirements. Additionally, the evaluation was\nperformed to provide sufficient support for OIG in providing responses to OMB in accordance\nwith OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management, dated September 14, 2011.\n\nThis evaluation, performed under Contract No. SAQMMA10F2159, was designed to meet the\nobjectives identified in Appendix A, "Objectives, Scope, and Methodology," of the report. We\ncommunicated the results of our review and the related fmdings and recommendations to BBG\' s\nmanagement.\n\nWe appreciate the cooperation provided by BBG personnel during the evaluation. 
Should you\nhave               or if we can be of further assistance, please contact either\n(b) (6)\n\n\n\n\n                                    WILLIAMS, ADLEY & COMPANY-DC , LLP\n                              Certified Public Accountants / Management Consultants\n          1030 1S\'h Street, NW, Suite 300W \xe2\x80\xa2 Washington, DC 20005 \xe2\x80\xa2 (202) 371 -1397 \xe2\x80\xa2 Fax : (202) 371 -9161\n                                              www.williamsadley.com\n\x0c                                 UNCLASSIFIED\n\n\n\n\nAcronyms\n\nAD         Windows Active Directory\nBBG        Broadcasting Board of Governors\nCIO        Chief Information Officer\nDHS        Department of Homeland Security\nFIPS       Federal Information Processing Standards\nFISMA      Federal Information Security Management Act\nGAO        Government Accountability Office\nIT         information technology\nNIST       National Institute of Standards and Technology\nOCB        Office of Cuba Broadcasting\nOIG        Office of Inspector General\nOMB        Office of Management and Budget\nPOA&M      Plan of Action and Milestones\nPII        personally identifiable information\nSP         Special Publication\nUS-CERT    United States Computer Emergency Response Team\n\n\n\n\n                                 UNCLASSIFIED\n\n\x0c                                                 UNCLASSIFIED\n\n\n\n                                               Table of Contents \n\n\n\nEXECUTIVE SUMMARY ..............................................................................................1\n\xc2\xa0\nBACKGROUND ............................................................................................................4\n\xc2\xa0\nRESULTS OF REVIEW .................................................................................................5\n\xc2\xa0\nA.\t\xc2\xa0         BBG HAS NOT IMPLEMENTED A SYSTEM INVENTORY MANAGEMENT \n\n             PROCESS 
.....................................................................................................5\n\xc2\xa0\nB.\t\xc2\xa0         SECURITY STANDARDS AND PROCEDURES HAVE NOT BEEN \n\n             IMPLEMENTED AND ENFORCED .................................................................6\n\xc2\xa0\nC.\t\xc2\xa0         COMPLIANCE WITH BBG\xe2\x80\x99S SECURITY AWARENESS TRAINING\n\n             PROGRAM WAS NOT STRICTLY ENFORCED .............................................8\n\xc2\xa0\nD.\t\xc2\xa0         PLANS OF ACTION AND MILESTONES HAVE NOT BEEN COMPLETED .....9\n\xc2\xa0\nE.\t\xc2\xa0         REMOTE ACCESS TO THE BBG NETWORK WAS NOT PROPERLY \n\n             MANAGED AND CONTROLLED .................................................................10\n\xc2\xa0\nF.\t\xc2\xa0         USER ACCOUNT MANAGEMENT CONTROLS NEED IMPROVEMENT .......11\n\xc2\xa0\nG.\t\xc2\xa0         VULNERABILITY ASSESSMENTS WERE NOT PERFORMED ......................13\n\xc2\xa0\nH.\t\xc2\xa0         ENTERPRISE-WIDE AND SYSTEM-SPECIFIC CONTINGENCY PLANS DO \n\n             NOT EXIST ................................................................................................14\n\xc2\xa0\nI.\t\xc2\xa0         BBG\xe2\x80\x99S INCIDENT RESPONSE POLICY DOES NOT ADHERE TO UNITED \n\n             STATES COMPUTER EMERGENCY READINESS TEAM\xe2\x80\x99S REPORTING \n\n             REQUIREMENTS ........................................................................................15\n\xc2\xa0\nLIST OF CURRENT YEAR RECOMMENDATIONS ......................................................18\n\xc2\xa0\nAPPENDIX A. OBJECTIVES, SCOPE, AND METHODOLOGY .....................................20\n\xc2\xa0\nAPPENDIX B. FOLLOWUP OF RECOMMENDATIONS FROM THE FY 2010 FISMA\n\n       REPORT.....................................................................................................23\n\xc2\xa0\nAPPENDIX C. 
BROADCASTING BOARD OF GOVERNORS RESPONSE .......................26\n\xc2\xa0\n\n\n\n\n                                                 UNCLASSIFIED\n\n\x0c                                           UNCLASSIFIED\n\n\n                                         Executive Summary\n\n        In accordance with the Federal Information Security Management Act of 2002 (FISMA),1\nthe Office of Inspector General (OIG) contracted with Williams, Adley & Company, LLP\n(referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this report), to perform an independent evaluation of the Broadcasting\nBoard of Governors (BBG) information security program\xe2\x80\x99s compliance with Federal laws,\nregulations, and standards established by FISMA, the Office of Management and Budget\n(OMB), and the National Institute of Standards and Technology (NIST). Additionally, the\nresults are designed to assist OIG in providing responses to OMB Memorandum M-11-33, FY\n2011 Reporting Instructions for the Federal Information Security Management Act and Agency\nPrivacy Management, dated September 14, 2011.\n\n       We reviewed BBG\xe2\x80\x99s remedial actions taken to address the FY 2010 reported Information\nSecurity Program control weaknesses identified in OIG\xe2\x80\x99s FY 2010 report Review of the\nBroadcasting Board of Governors Information Security Program (AUD/IT/IB-11-08, November\n2010). The statuses of the FY 2010 review recommendations are in Appendix B. Since FY\n2010, BBG has taken the following steps to improve management controls:\n\n      \xef\x82\xb7    Completed security tests and evaluations and developed risk assessments and system\n           security plans for its major systems. \n\n      \xef\x82\xb7    Implemented a more robust security incident response tracking process. 
\n\n      \xef\x82\xb7    Developed password management policies and procedures to reduce to the risk of \n\n           unauthorized access.\n\n        Overall, we found that BBG had continued its efforts to further develop its information\nsecurity program. However, to improve the information security program and to bring the\nprogram into compliance with FISMA, OMB, and NIST requirements, BBG needs to address the\nfollowing control weaknesses:\n\n           A. System Inventory\n\n                BBG did not complete a system inventory of information technology (IT) assets and\n                had not implemented a process to routinely update and manage its IT assets. Without\n                a process to properly identify, document, and maintain an inventory of major and\n                minor applications, as well as general support systems, BBG may not have an\n                accurate accounting of its IT assets, the related system interfaces, and underlying\n                support systems.\n\n           B. Security Configuration Management\n\n                BBG did not complete the development and implementation of its security\n                configuration management standards and procedures for its IT environment.\n                Furthermore, BBG\xe2\x80\x99s standard operating procedures and information security\n                practices were not enforced at the Office of Cuba Broadcasting (OCB). As a result,\n\n1   Public Law No. 107-347, Title III.\n\n                                                   1\n                                           UNCLASSIFIED\n\x0c                               UNCLASSIFIED\n\n\n    BBG did not maintain control over OCB systems connected to its network. \n\n    Additionally, OCB did not complete a security authorization process. 
\n\n\n    Without detailed procedures and guidance that govern the performance of routine and\n    critical configuration management processes, BBG may not be able to effectively\n    secure its systems, which may lead to the introduction of security weaknesses and\n    inconsistent performance. Additionally, BBG cannot be assured that security\n    controls are properly managed and maintained for all systems that access the BBG\n    network.\n\nC. Security Awareness Training\n\n    BBG did not sanction employees and contractors who did not complete the annual\n    security awareness training course. Although users were informed of the possibility\n    of enforcement actions for not completing the course, no such actions were\n    implemented. Additionally, contract personnel were not consistently required to\n    complete BBG\xe2\x80\x99s security awareness training prior to, or shortly after, being granted\n    access to BBG\xe2\x80\x99s network.\n\n    Without the completion of initial and annual security awareness training, personnel\n    may be unaware of new risks that may compromise the confidentiality, integrity, and\n    availability of information. As a result, personnel may be unable to recognize and\n    respond appropriately to real and potential security threats.\n\nD. Plans of Action and Milestones\n\n    BBG\xe2\x80\x99s Plans of Action and Milestones (POA&M) have not been implemented fully\n    to track all identified weaknesses pertaining to BBG\xe2\x80\x99s major applications and general\n    support systems. Furthermore, the POA&Ms did not provide sufficient details of the\n    security weaknesses, planned actions, prioritizations of security weaknesses,\n    resources required to address security weaknesses, and changes to milestones for\n    actions completed.\n\n    Without periodic updates and reviews of the POA&Ms, BBG IT management may be\n    unaware of the status of corrective actions. 
As a result, delays in the implementation\n    of corrective actions may prevent security issues from being resolved in a timely\n    manner. Additionally, IT management may be unable to properly assess and\n    prioritize the resources that are required to implement corrective actions.\n\nE. Remote Access\n\n    BBG\xe2\x80\x99s remote access policy allowed users to access the BBG network from personal\n    computers using software provided by BBG. However, BBG did not have\n    procedures in place to ensure that proper safeguards were implemented on non-BBG\n    computers that were authorized to access the BBG network remotely.\n\n\n\n                                        2\n                               UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n             Without proper policies and procedures that require the use of properly secured\n             devices, BBG may be unable to ensure the security of its data and network when\n             allowing access to authorized third-party devices. 
As a result, the risks of\n             introducing viruses, worms, and other malicious code increase significantly.\n\n        F.\t User Account Management Controls\n\n             Although BBG has implemented new user account management controls in FY 2011,\n             such as user verification controls for password resets that required users to present\n             photo identification in person prior to obtaining new passwords, the following\n             account management control deficiencies continued in FY 2011:\n\n                 \xef\x82\xb7\t Guest, test, and shared user accounts that, when used, do not allow for\n                    individual accountability.\n                 \xef\x82\xb7\t Five of 94 employees who separated from BBG in FY 2011 between October\n                    1, 2010, and June 8, 2011, retained \xe2\x80\x9cactive\xe2\x80\x9d Windows Active Directory2 (AD)\n                    user accounts as of June 14, 2011.\n                 \xef\x82\xb7\t One hundred nineteen active user accounts in AD have never been used, and\n                    27 of the 119 user accounts were created before 2009.\n                 \xef\x82\xb7\t Seventy-six active user accounts in AD have not been used for over 90 days,\n                    and 24 of the 76 active user accounts have not been used since 2009 or before\n                    that year.\n                 \xef\x82\xb7\t An individual requested and was provided a new password via a telephone\n                    call.\n\n             Without more stringent user account management controls, the risk of unauthorized\n             use of user accounts and thus unauthorized access to systems increase significantly.\n             Unauthorized access to systems may result in the submission of false transactions,\n             improper access to and dissemination of confidential data, and other malicious\n             activities.\n\n        G. 
Vulnerability Assessments\n\n             BBG did not perform routine vulnerability assessments of its major systems and\n             network environment using the framework outlined in NIST Special Publication (SP)\n             800-53A,3 Guide for Assessing the Security Controls in Federal Information Systems.\n             Although BBG performed ad hoc scans of its systems and the general support\n             system, BBG has not expanded the process to include the periodic re-performance of\n             vulnerability assessments for all major systems or the routine performance of such\n             scans on its enterprise network. Without periodic reviews or the performance of risk-\n             based vulnerability assessments, new threats and vulnerabilities may not be identified\n             and mitigated in a timely manner.\n\n2 Active Directory (AD), a technology created by Microsoft, provides a variety of network services such as \n\nidentification and authentication, directory access, and other network services.\n\n3 NIST SP 800-53A, Guide for Assessing Security Controls in Federal Information Systems, Building Effective \n\nSecurity Assessment Plans, July 2008.\n\n\n                                                        3\n                                             UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n        H. Enterprise-Wide and System-Specific Contingency Plans\n\n             BBG did not develop and implement contingency planning and testing policies and\n             procedures compliant with OMB and NIST requirements contained in NIST SP 800-\n             34, Revision 1,4 Contingency Planning Guide for Federal Information Systems.\n             Specifically, BBG did not complete its enterprise-wide and system-specific\n             contingency plans or conduct contingency tests. 
Without an effective contingency\n             plan, which includes periodic testing of the plan\xe2\x80\x99s reliability, BBG may be unable to\n             access critical information and resources and perform mission-critical business\n             functions in the event of an extended outage and/or a disaster.\n\n        I. Incident Response\n\n             BBG\xe2\x80\x99s Computer Security Incident Management Policy does not comply fully with\n             the requirements established by the United States Computer Emergency Readiness\n             Team (US-CERT) at the Department of Homeland Security (DHS). BBG\xe2\x80\x99s policy\n             requires category one (CAT 1) incidents to be reported to US-CERT within 2 hours\n             of detection, but US-CERT stipulates that CAT 1 incidents be reported within 1 hour\n             of discovery/detection. Further, BBG\xe2\x80\x99s policy does not include reporting\n             requirements for incidents of compromised personally identifiable information (PII).\n             The US-CERT reporting timeframe for incidents that involve compromised PII is\n             within 1 hour of detection regardless of the incident\xe2\x80\x99s category reporting timeframe.\n             Without an effective incident response capability, BBG may not detect security\n             incidents, minimize loss and destruction, mitigate the weaknesses that were\n             exploited, and restore computing services in a timely manner.\n\n        Although this report contains 12 recommendations, we believe the most significant\nsecurity deficiencies relate to security configuration management (Finding B), POA&M (Finding\nD), vulnerability assessments (Finding G), contingency plans (Finding H), and incident response\n(Finding I).\n\n       We provided the draft report to BBG officials on October 27, 2011. In BBG\xe2\x80\x99s\nNovember 2, 2011, response (see Appendix C) to this report, BBG concurred with the 12\nrecommendations. 
Based on the response, OIG considers all 12 recommendations resolved,\npending further action.\n\n      BBG\xe2\x80\x99s responses to the recommendations and OIG\xe2\x80\x99s analyses are presented after each\nrecommendation.\n\n                                              Background\n\n        FISMA recognizes the importance of information security to the economic and national\nsecurity interests of the United States and requires each Federal agency to develop, document,\nand implement an agency-wide program to provide information security for the information\n\n4 NIST SP 800-34, rev.1, Contingency Planning Guide for Federal Information Systems, May 2010.\n\n                                                      4\n                                            UNCLASSIFIED\n\x0c                                          UNCLASSIFIED\n\n\n\nsystems that support the operations and assets of the agency, including those provided or\nmanaged by another agency or contractor or another source. FISMA provides a comprehensive\nframework for establishing and ensuring the effectiveness of management, operational, and\ntechnical controls over IT that supports Federal operations and assets, and it provides a\nmechanism for improved oversight of Federal agency information security programs.\n\n       To strengthen information system security, FISMA assigns specific responsibilities to\nDHS, NIST, OMB, and other Federal agencies. In particular, FISMA requires the head of each\nagency to implement policies and procedures to cost effectively reduce IT security risks to an\nacceptable level. 
To ensure the adequacy and effectiveness of information system controls,\nFISMA requires agency program officials, chief information officers, senior agency officials for\nprivacy, and inspectors general to conduct annual reviews of the agency\xe2\x80\x99s information security\nprogram and report the results to DHS.\n\n        On an annual basis, OMB provides guidance with reporting categories and questions to\nmeet the current year\xe2\x80\x99s reporting requirements.5 OMB uses responses to its questions to assist in\nits oversight responsibilities and to prepare its annual report to Congress on agency compliance\nwith FISMA.\n\n                                        Results of Review\n        Overall, we found that BBG made progress in FY 2011 toward developing its information\nsecurity program, but challenges remain. BBG needs to address several control weaknesses as\ndescribed to bring the information security program into compliance with FISMA, OMB, and\nNIST requirements.\n\nA. BBG Has Not Implemented a System Inventory Management Process\n      The FY 2010 Review of the Information Security Program at the Broadcasting Board of\nGovernors concluded that BBG did not complete its system inventory of IT assets.\n\n        BBG has not implemented a process or procedures to routinely update and manage its IT\nassets. During the fourth quarter of FY 2010, an IT director was hired to develop the system\ninventory management process. A system inventory management tool was selected and the\nrequired purchase order was submitted. However, the procurement has not been finalized.\n\n        FISMA requires the head of each agency to develop and maintain an inventory of major\ninformation systems (including major national security systems) operated by or under the\nagency\xe2\x80\x99s control. 
Each agency must identify information systems in an inventory, including the\ninterfaces between each system and all other systems or networks, to include those not operated\nby or under the control of the agency. FISMA further requires that the inventory be updated at\nleast annually and be used to support information resources management. Additionally, NIST\n\n\n\n5OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management\nAct and Agency Privacy Management, Sept.14, 2011.\n\n                                                   5\n                                          UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\nSP 800-53, Revision 3,6 Recommended Security Controls for Information Systems and\nOrganizations, requires the organization to develop, document, and maintain an inventory of\ninformation system components that accurately reflects the current information system, is\nconsistent with the authorization boundary of the information system, is at the level of\ngranularity deemed necessary for tracking and reporting, includes organization-defined\ninformation deemed necessary to achieve effective property accountability, and is available for\nreview and audit by designated organization officials.\n\n        Without a system inventory management process, BBG may not have an accurate\naccounting of its IT assets and the related system interfaces and underlying support systems and\nwill not be able to properly identify and mitigate security risks. 
As a result, critical management\nprocesses such as strategic planning, budgeting, system administration, and resource\nmanagement may be adversely affected.\n\n        Recommendation 1: We recommend that the Chief Information Officer ensure that the\n        selected system inventory management software tool is acquired and implemented and a\n        process is developed to update, not less than annually, the Broadcasting Board of\n        Governors (BBG) system inventory when changes are made to those information systems\n        operated by or under the control of BBG or by third-party contractors or agencies on\n        behalf of BBG, as required by National Institute of Standards and Technology Special\n        Publication 800-53, Revision 3.\n\n        Management Comments: BBG concurred with the recommendation, stating that it \xe2\x80\x9chas\n        acquired the inventory management software tool and is currently installing and\n        configuring the tool. The CIO will oversee testing of this tool and the development of a\n        process to update BBG\xe2\x80\x99s system inventory periodically.\xe2\x80\x9d\n\n        OIG Analysis: OIG considers the recommendation resolved. This recommendation can\n        be closed when OIG reviews and accepts documentation showing that BBG has\n        implemented a system inventory process.\n\nB. Security Standards and Procedures Have Not Been Implemented and\n   Enforced\n        The FY 2010 Review of the Information Security Program at the Broadcasting Board of\nGovernors concluded that BBG did not complete the development and implementation of its\nsecurity configuration and performance measurement standards and procedures for the IT\nenvironment. Further, BBG\xe2\x80\x99s standard operating procedures and information security policies\nwere not enforced at OCB. 
Therefore, BBG did not maintain control over OCB systems\nconnected to its network, and OCB managed its own servers that were connected to BBG\xe2\x80\x99s\nnetwork. Additionally, OCB did not complete the security authorization process.\n\n      BBG drafted several IT policies and procedures during FY 2011; however, BBG\xe2\x80\x99s IT\nmanagement stated that the additional IT policies and procedures had not been implemented\n6 NIST SP 800-53, rev.3, Recommended Security Controls for Information Systems and Organizations, Aug.2009\n(updated through Sept. 14, 2009).\n\n                                                     6\n                                            UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\nbecause of resource limitations. Additionally, although BBG\xe2\x80\x99s IT department provides guidance\nto OCB regarding development and implementation of IT policies and procedures, it does not\nhave the authority to enforce compliance because OCB reports directly to the Broadcasting\nBoard of Governors.\n\n          In regard to security standards and procedures, NIST SP 800-53, Revision 3,7\nstates:\n\n          The organization develops, disseminates, and periodically reviews/updates: (a) a\n          formal, documented, configuration management policy that addresses purpose,\n          scope, roles, responsibilities, management commitment, coordination among\n          organizational entities, and compliance; and (b) formal, documented procedures\n          to facilitate the implementation of the configuration management policy and\n          associated configuration management controls.\n\n         Without detailed procedures and guidance that govern the performance of routine and\ncritical processes, BBG may not be able to effectively manage its IT program, which could\nintroduce security weaknesses and result in inconsistent performance. 
Additionally, BBG cannot\nbe assured that security controls are properly managed and maintained for all systems that access\nthe BBG network. As a result, systems may operate in the production environment without\nappropriate controls or management oversight.\n          Recommendation 2: We recommend that the Chief Information Officer complete the\n          development and implementation of security configuration procedures and periodically\n          assess compliance with the implemented procedures, as required by National Institute of\n          Standards and Technology Special Publication 800-53, Revision 3.\n\n          Management Comments: BBG concurred with the recommendation, stating that the\n          CIO \xe2\x80\x9cwill oversee the collection and organization of any existing security configuration\n          procedures, will assess progress to complete the development and implementation of\n          additional procedures by March 31, 2012, and will periodically access compliance with\n          these implemented procedures.\xe2\x80\x9d\n\n          OIG Analysis: OIG considers the recommendation resolved. 
        This recommendation can be closed when OIG reviews and accepts documentation showing
        standard operating procedures for security configuration.

        Recommendation 3: We recommend that the Chief Information Officer develop procedures
        to ensure that security controls are properly managed and maintained for all systems
        that access the Broadcasting Board of Governors network, as required by National
        Institute of Standards and Technology Special Publication 800-53, Revision 3.

        Management Comments: BBG concurred with the recommendation, stating that the CIO
        “will oversee the development of procedures to provide oversight such that security
        controls are properly managed and maintained for all systems that directly access the
        BBG network by March 31, 2012.”

        OIG Analysis: OIG considers the recommendation resolved. This recommendation can be
        closed when OIG reviews and accepts documentation showing procedures for overseeing
        the management and maintenance of security controls for all systems that access the
        BBG network.

[7] Configuration Management Policy and Procedures (CM-1).

C. Compliance With BBG’s Security Awareness Training Program Was Not Strictly Enforced

The FY 2010 Review of the Information Security Program at the Broadcasting Board of
Governors concluded that BBG did not sanction employees and contractors who did not complete
the annual security awareness training course. Although users were informed of the
possibility of enforcement actions for not completing the course, no such actions were
implemented.
BBG IT management stated that compliance with the security awareness training policy was not
strictly enforced because of concerns about possible disruption of BBG’s mission and
employees’ job responsibilities if user access was restricted. Additionally, contractor
personnel were not consistently required to complete BBG’s security awareness training prior
to or shortly after being granted access to BBG’s network.

In regard to security awareness, NIST SP 800-53, Revision 3,[8] states:

        The organization ensures all users (including managers and senior executives) are
        exposed to basic information system security awareness materials before authorizing
        access to the system and thereafter (that is, at least annually).[9]

        The organization employs a formal sanctions process for personnel failing to comply
        with established information security policies and procedures.[10]

Without the completion of initial and annual security awareness training, personnel may be
unaware of new risks that may compromise the confidentiality, integrity, and availability of
data. As a result, personnel may be unable to recognize and respond appropriately to real and
potential security concerns.

        Recommendation 4: We recommend that the Chief Information Officer update the security
        awareness training policy requiring all new personnel to attend initial and refresher
        security awareness training and enforce consequences of noncompliance for personnel
        who do not successfully complete the security awareness training, as required by
        National Institute of Standards and Technology Special Publication 800-53, Revision 3,
        and the Broadcasting Board of Governors information security policies.

[8] Ibid.

[9] Security Awareness Control (AT-2).
[10] Personnel Sanctions Control (PS-8).

        Management Comments: BBG concurred with the recommendation, stating that the CIO “has
        initiated discussions” with BBG’s Office of Human Resources “to require all new
        personnel to attend initial or refresher security awareness training.” BBG further
        stated that the CIO “will update the security awareness training policy by December
        31, 2011,” and “will work with” the Office of Human Resources “to develop and
        implement consequences for personnel who are non-compliant with the policy, while
        minimizing the impact on Agency operations and the BBG mission.”

        OIG Analysis: OIG considers the recommendation resolved. This recommendation can be
        closed when OIG reviews and accepts the revised security awareness training policy
        showing the requirements of training for new personnel and the enforcement actions to
        be taken for noncompliant personnel.

D. Plans of Action and Milestones Have Not Been Completed

The FY 2010 Review of the Information Security Program at the Broadcasting Board of
Governors concluded that BBG’s POA&Ms have not been completed fully to track all identified
weaknesses in BBG’s major applications and general support systems.
Further, POA&Ms did not include sufficient details of security weaknesses such as planned
actions, prioritization of weaknesses, required resources, or changes to milestones for
actions that had not been completed according to the plan.

Although BBG contracted with a vendor during the third quarter of FY 2010 to assist it with
the security authorization of its systems, including the development of POA&Ms for each
system, the POA&M process has not been formalized to establish the information requirements
or a requirement to review and update the POA&Ms periodically.

OMB Memorandum M-11-33 states:[11] “POA&Ms must include all security weaknesses found during
any other review done by, for, or on behalf of the agency, including GAO audits, financial
system audits, and critical infrastructure vulnerability assessments. These plans should be
the authoritative agency-wide management tool, inclusive of all evaluations.”

Without periodic updates and reviews of POA&M activities, BBG IT management may be unaware
of the statuses of corrective actions. As a result, delays in the implementation of
corrective actions may prevent security issues from being resolved in a timely manner.
Additionally, IT management may be unable to properly assess and prioritize the resources
required to implement corrective actions.

        Recommendation 5: We recommend that the Chief Information Officer develop a policy
        requiring responsible managers to review and update Plans of Action and Milestones and
        assess the timeliness of corrective actions to determine whether additional resources
        may need to be allocated to prevent delays, as required by Office of Management and
        Budget Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information
        Security Management Act and Agency Privacy Management, September 14, 2011.

[11] OMB M-11-33, sec. 36, POA&M (citing previous guidance contained in OMB M-04-25, FY 2004
Reporting Instructions for the Federal Information Security Management Act).

        Management Comments: BBG concurred with the recommendation, stating that the CIO
        “will edit” the current POA&M policy by December 31, 2011, “to require responsible
        managers to review and update their respective POA&Ms periodically.” BBG further
        stated that the CIO or his designee will also “review these POA&M reports periodically
        to determine whether or not additional resources need to be allocated.”

        OIG Analysis: OIG considers the recommendation resolved. This recommendation can be
        closed when OIG reviews and accepts documentation showing that POA&Ms are reviewed and
        updated periodically and that resources have been allocated as necessary to prevent
        delays in taking corrective actions.

E. Remote Access to the BBG Network Was Not Properly Managed and Controlled

The FY 2010 Review of the Information Security Program at the Broadcasting Board of
Governors concluded that BBG’s remote access policy allowed users to access the BBG network
from personal computers using software provided by BBG. However, BBG did not have procedures
in place to ensure that proper safeguards were implemented on non-BBG computers that were
authorized to access the BBG network remotely.

BBG allows its users to remotely access the BBG network using their personal computers.
BBG’s IT management stated that a process has been drafted and a software tool has been
identified that will detect and scan the security settings of requesting computers but that
the project has not been funded.

According to NIST SP 800-53, Revision 3,[12] the organization documents, monitors, and
controls all methods of remote access (for example, dial-up and the Internet) to the
information system, including remote access for privileged functions. Appropriate
organization officials authorize each remote access method for the information system and
authorize only the necessary users for each access method.

Without proper policies and procedures that require the use of properly secured devices, BBG
may be unable to ensure the security of its data and network when allowing access to
authorized third-party devices. As a result, the risks of introducing viruses, worms, or
other malicious code increase significantly.

        Recommendation 6: We recommend that the Chief Information Officer implement the
        process and software tool to assess the adequacy of the security configurations of
        third-party devices that request access to the Broadcasting Board of Governors network
        and grant access only to properly configured devices, as required by National
        Institute of Standards and Technology Special Publication 800-53, Revision 3.

[12] Remote Access Control (AC-17).

        Management Comments: BBG concurred with the recommendation, stating that the CIO
        “will develop the process and initiate planning and testing of the software tool
        intended to assess the adequacy of the security configurations of third-party devices
        that request access (generally through a Virtual Private Network [VPN]) to the BBG
        network.” BBG further stated that it “will grant access only to those [third-party
        devices] whose configurations are deemed sufficient, by March 31, 2012, pending
        allocation of sufficient funds for this purpose.”

        OIG Analysis: OIG considers the recommendation resolved. This recommendation can be
        closed when OIG reviews and accepts documentation showing that BBG has implemented a
        process to assess the adequacy of the security configurations of third-party devices
        that request access to the BBG network and grant access only to properly configured
        devices.

F. User Account Management Controls Need Improvement

The FY 2010 Review of the Information Security Program at the Broadcasting Board of
Governors concluded that BBG’s user account management controls do not ensure that access is
provided to authorized personnel only. Although BBG implemented new user account management
controls in FY 2011, including user verification controls that require users to obtain new
passwords in person after presenting photo identification, we observed the following account
management control deficiencies:

        • Guest, test, and shared user accounts that, when used, do not allow for individual
          accountability.
        • Five of 94 employees who separated from BBG in FY 2011 between October 1, 2010, and
          June 8, 2011, retained “active” AD user accounts as of June 14, 2011.
        • One hundred nineteen active user accounts in AD have never been used, and 27 of the
          119 user accounts were created before 2009.
        • Seventy-six active user accounts in AD have not been used for over 90 days, and 24
          of the 76 active user accounts have not been used since 2009 or before that year.
        • An individual requested and was provided a new password via a telephone call.

BBG has taken actions to remove unnecessary user accounts; however, the process has not been
completed and procedures have not been established to perform the review routinely.
Additionally, BBG’s help desk personnel did not consistently adhere to the established user
verification controls for the issuance of new passwords.

OMB Circular No. A-130, Revised, Appendix III,[13] states:

        Agencies shall implement and maintain a program to assure that adequate security is
        provided for all agency information collected, processed, transmitted, stored, or
        disseminated in general support systems and major applications. “Adequate security”
        means security commensurate with the risk and magnitude of the harm resulting from the
        loss, misuse, or unauthorized access to or modification of information. This includes
        assuring that systems and applications used by the agency operate effectively and
        provide appropriate confidentiality, integrity, and availability, through the use of
        cost-effective management, personnel, operational, and technical controls.

[13] OMB Circular No. A-130 Revised, Management of Federal Information Resources, app. III,
“Security of Federal Automated Information Resources,” Nov. 28, 2000.

Additionally, NIST SP 800-53, Revision 3,[14] states that the organization manages
information system accounts, including authorizing and monitoring the use of guest,
anonymous, and temporary accounts, and reviewing accounts.

Without more stringent user account management controls, unauthorized use of user accounts,
and thus the risk of unauthorized access to systems, increases significantly. Unauthorized
access to systems may result in the submission of false transactions, improper access to and
dissemination of confidential data, and other malicious activities.

        Recommendation 7: We recommend that the Chief Information Officer establish policies
        and procedures to restrict the use of guest, test, and shared user accounts to ensure
        user accountability, in accordance with National Institute of Standards and Technology
        Special Publication 800-53, Revision 3.

        Management Comments: BBG concurred with the recommendation, stating that the CIO “has
        made significant progress in reviewing the history and rationale of guest, test, and
        shared user accounts.” BBG further stated that the CIO “will develop policies and
        procedures to restrict the use of guest, test, and shared user accounts to ensure user
        accountability for access to BBG computing resources by December 31, 2011.”

        OIG Analysis: OIG considers the recommendation resolved.
        This recommendation can be closed when OIG reviews and accepts BBG’s policies and
        procedures that restrict the use of guest, test, and shared user accounts.

        Recommendation 8: We recommend that the Chief Information Officer establish policies
        and procedures requiring system owners to notify account managers when information
        system users are terminated or transferred or when information system usage or
        need-to-know/need-to-share changes are made, in accordance with National Institute of
        Standards and Technology Special Publication 800-53, Revision 3.

        Management Comments: BBG concurred with the recommendation, stating that the CIO
        “will develop policies and procedures requiring system owners to notify account
        managers when user employment status or system access needs change by March 31,
        2012.”

[14] Account Management Access Control 2 (AC-2).

        OIG Analysis: OIG considers the recommendation resolved.
        This recommendation can be closed when OIG reviews and accepts BBG’s policies and
        procedures that require system owners to notify account managers when there is a
        change in a user’s employment status or system access needs.

        Recommendation 9: We recommend that the Chief Information Officer implement
        procedures to monitor and review compliance with the password reset procedures to
        ensure that Help Desk personnel enforce the password reset policy, which requires the
        requesting user to be physically present to allow Help Desk personnel to verify the
        user’s identity.

        Management Comments: BBG concurred with the recommendation, stating that the CIO
        “will develop and implement procedures for monitoring and reviewing compliance with
        the password reset procedures by March 31, 2012.” BBG further stated that the CIO
        “will review the password reset policy and consider alternative methods for
        implementing the user identification requirements.”

        OIG Analysis: OIG considers the recommendation resolved. This recommendation can be
        closed when OIG reviews and accepts documentation showing that compliance with the
        password reset procedures is monitored and reviewed.

G. Vulnerability Assessments Were Not Performed

The FY 2010 Review of the Information Security Program at the Broadcasting Board of
Governors concluded that BBG did not perform routine vulnerability assessments of its major
systems and network environment using the framework outlined in NIST SP 800-53A.[15]
Although BBG performed ad hoc scans of its systems and the general support system, BBG did
not expand the process to include the periodic re-performance of vulnerability assessments
for all major systems or the routine performance of such scans on its enterprise network.

BBG IT management stated that a vulnerability assessment tool was implemented during FY 2011
to perform scans of its network. However, the policy and related procedures for routine
vulnerability assessments have not been developed and implemented.

According to NIST SP 800-53A,[16] the organization scans for vulnerabilities in the
information system under an organization-defined frequency schedule or when significant new
vulnerabilities potentially affecting the system are identified and reported.

Without periodic reviews or the performance of risk-based vulnerability assessments using
NIST SP 800-53A,[17] new threats and vulnerabilities may not be identified and mitigated in a
timely manner. Such threats and vulnerabilities may limit the effectiveness of security
controls, thereby resulting in the loss, damage, or theft of valuable information and/or
resources.

[15] NIST SP 800-53A, Guide for Assessing Security Controls in Federal Information Systems,
Building Effective Security Assessment Plans, July 2008.

[16] Risk Assessment Control RA-5.

[17] Ibid.

        Recommendation 10: We recommend that the Chief Information Officer develop and
        implement policies and procedures to perform routine vulnerability assessments for all
        major systems and general support systems, as required by National Institute of
        Standards and Technology Special Publication 800-53A.

        Management Comments: BBG concurred with the recommendation, stating that it “has
        acquired a software tool and is currently installing and configuring the tool.” BBG
        further stated that the CIO “will develop policies and procedures to perform routine
        vulnerability assessments with the tool for all major systems and general support
        systems by December 31, 2011.”

        OIG Analysis: OIG considers the recommendation resolved. This recommendation can be
        closed when OIG reviews and accepts documentation showing that routine vulnerability
        assessments are performed for all major systems and general support systems.

H. Enterprise-Wide and System-Specific Contingency Plans Do Not Exist

The FY 2010 Review of the Information Security Program at the Broadcasting Board of
Governors concluded that BBG did not develop and implement contingency planning and testing
policies and procedures compliant with NIST SP 800-34, Revision 1.[18] Specifically, BBG did
not complete its enterprise-wide and system-specific contingency plans or conduct contingency
tests.

BBG does not have formal policies and procedures for developing contingency plans. BBG’s IT
management stated that although a strategic plan was developed to address BBG’s contingency
and business resumption needs, resources were not appropriated to develop policies and
procedures for contingency plans because of substantial budget uncertainties at BBG during
FY 2011.

NIST SP 800-34, Revision 1,[19] states that information systems are “vital elements” in most
business functions and that “it is critical” that the services provided by these systems are
able to operate effectively without excessive interruption. Further, NIST SP 800-53,
Revision 3,[20] states, “Contingency planning supports this requirement by establishing
thorough plans, procedures, and technical measures that can enable a system to be recovered
quickly and effectively following a service disruption.”

Without an effective contingency plan, which includes periodic testing of the plan's
reliability, BBG may be unable to access critical information and resources or perform
mission-critical business functions in the event of an extended outage and/or a disaster. As
a result, BBG may be unable to resume operations in an efficient and effective manner.

[18] NIST SP 800-34, rev. 1, Contingency Planning Guide for Federal Information Systems, May
2010 (last updated November 11, 2010).

[19] Ibid.

[20] NIST SP 800-53, rev. 3, Recommended Security Controls for Federal Information Systems
and Organizations, Aug. 2009.

        Recommendation 11: We recommend that the Chief Information Officer ensure that the
        Director of Disaster Recovery and Business Continuity develop and implement
        contingency planning policies and procedures; develop contingency plans for the
        Broadcasting Board of Governors (BBG) infrastructure (network) and its major systems;
        provide contingency planning training to personnel who are responsible for the
        recovery of the network and systems; perform periodic testing of BBG’s contingency
        plans; and update the plan based on lessons learned, as required by National Institute
        of Standards and Technology Special Publication 800-34, Revision 1.

        Management Comments: BBG concurred with the recommendation, stating that although its
        IT Directorate in the Office of Technology, Services, and Innovation does have data
        backup, restoration plans, and deep investments in internal redundant architecture,
        BBG “agrees to further develop contingency plans and increase investments in offsite
        systems to be used for business continuity.” BBG further stated: “To support and lead
        this effort, the CIO is planning to add a Disaster Recovery and Business Continuity
        Manager position by March 31, 2012, to focus specifically on this subject. All
        positions and equipment required to meet this recommendation are subject to available
        funding.”

        OIG Analysis: OIG considers the recommendation
        resolved. This recommendation can be closed when OIG reviews and accepts
        documentation showing the development of contingency planning policies and procedures
        that include training requirements for personnel who are responsible for the recovery
        of the network and systems and contingency plans for the BBG infrastructure and its
        major systems.

I. BBG’s Incident Response Policy Does Not Adhere to United States Computer Emergency
Readiness Team’s Reporting Requirements

BBG’s Computer Security Incident Management Policy does not comply with the requirements
established by US-CERT. BBG’s policy requires category 1 (CAT 1) incidents to be reported to
US-CERT within 2 hours of detection, but US-CERT stipulates that CAT 1 incidents be reported
within 1 hour of discovery/detection.

The US-CERT Federal Incident Reporting Guidelines and NIST SP 800-61, Revision 1,[21] require
the following:

        Category   Name                  Description                                  Reporting Timeframe
        CAT 1      Unauthorized Access   In this category, an individual gains        Within one (1) hour of
                                         logical or physical access without           discovery/detection.
                                         permission to a federal agency network,
                                         system, application, data, or other
                                         resource.

[21] NIST SP 800-61, rev. 1, Computer Security Incident Handling Guide, March 2008.

Further, BBG’s policy does not include reporting requirements for incidents of compromised
PII.
The US-CERT reporting timeframe for incidents that involve compromised PII is within 1 hour
of detection regardless of the incident’s category reporting timeframe. OMB Memorandum
M-07-16[22] states:

        Agencies must report all incidents involving personally identifiable information to
        US-CERT. This reporting requirement does not distinguish between potential and
        confirmed breaches. The US-CERT concept of operations for reporting Category 1
        incidents is modified as follows:

            Category 1: Unauthorized Access or Any Incident Involving Personally Identifiable
            Information. In this category agencies must report when: 1) an individual gains
            logical or physical access without permission to a federal agency network, system,
            application, data, or other resource; or 2) there is a suspected or confirmed
            breach of personally identifiable information regardless of the manner in which it
            might have occurred. Reporting to US-CERT is required within one hour of
            discovery/detection.

Lastly, BBG’s Computer Security Incident Management Policy[23] states that incidents will be
escalated to external entities (for example, US-CERT and law enforcement) only during normal
business hours.[24]

BBG’s IT management stated that some US-CERT requirements were mistakenly excluded during
the development of its new incident response policy.
IT management further stated that the reporting timelines were extended because of BBG’s
resource limitations.

Without an effective incident response capability, BBG may not be able to respond to
security incidents in a timely manner and restore computing services.

        Recommendation 12: We recommend that the Chief Information Officer develop and
        implement a complete and comprehensive process that meets United States Computer
        Emergency Readiness Team’s (US-CERT) requirements for identifying, reporting, and
        resolving computer security incidents in a timely manner, as required by National
        Institute of Standards and Technology Special Publication 800-61, Revision 1, and
        Office of Management and Budget Memorandum M-07-16. Also, BBG’s Computer Security
        Incident Management Policy should be revised to include clear and comprehensive
        guidance for the identification, prioritization, and notification of security
        incidents, both internally and to US-CERT. The security incident identification and
        notification procedures should also specifically address the procedures for
        responding to security incidents involving the breach of personally identifiable
        information, whether the breach occurred in electronic or paper format.

[22] OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally
Identifiable Information, May 22, 2007.

[23] Computer Security Incident Management Policy, May 16, 2011.

[24] Ibid.

        Management Comments: BBG concurred with the recommendation, stating that it “will
        modify the policy” by December 31, 2011.

        OIG Analysis: OIG considers the recommendation resolved.
        This recommendation can be closed when OIG reviews and accepts the revised incident
        response policy showing a complete and comprehensive process that meets US-CERT’s
        requirements for identifying, reporting, and resolving computer security incidents.

List of Current Year Recommendations

Recommendation 1: We recommend that the Chief Information Officer ensure that the selected
system inventory management software tool is acquired and implemented and a process is
developed to update, not less than annually, the Broadcasting Board of Governors (BBG) system
inventory when changes are made to those information systems operated by or under the control
of BBG or by third-party contractors or agencies on behalf of BBG, as required by National
Institute of Standards and Technology Special Publication 800-53, Revision 3.

Recommendation 2: We recommend that the Chief Information Officer complete the development
and implementation of security configuration procedures and periodically assess compliance
with the implemented procedures, as required by the National Institute of Standards and
Technology Special Publication 800-53, Revision 3.

Recommendation 3: We recommend that the Chief Information Officer develop procedures to
ensure that security controls are properly managed and maintained for all systems that access
the Broadcasting Board of Governors network, as required by National Institute of Standards
and Technology Special Publication 800-53, Revision 3.

Recommendation 4: We recommend that the Chief Information Officer update the security
awareness training policy requiring all new personnel to attend initial and refresher security
awareness training and enforce consequences of noncompliance for personnel who do not
successfully complete the security awareness training, as required by the National Institute
of Standards and Technology Special Publication 800-53, Revision 3, and the Broadcasting Board
of Governors information security policies.

Recommendation 5: We recommend that the Chief Information Officer develop a policy requiring
responsible managers to review and update Plans of Action and Milestones and assess the
timeliness of corrective actions to determine whether additional resources may need to be
allocated to prevent delays, as required by Office of Management and Budget Memorandum
M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act
and Agency Privacy Management, September 14, 2011.

Recommendation 6: We recommend that the Chief Information Officer implement the process and
software tool to assess the adequacy of the security configurations of third-party devices
that request access to the Broadcasting Board of Governors network and grant access only to
properly configured devices, as required by National Institute of Standards and Technology
Special Publication 800-53, Revision 3.

Recommendation 7: We recommend that the Chief Information Officer establish policies and
procedures to restrict the use of guest, test, and shared user accounts to ensure user
accountability in accordance with National Institute of Standards and Technology Special
Publication 800-53, Revision 3.

Recommendation 8: We recommend that the Chief Information Officer establish policies and
procedures requiring system owners to notify account managers when information system users
are terminated or transferred or when information system usage or need-to-know/need-to-share
changes are made, in accordance with the National Institute of Standards and Technology
Special Publication 800-53, Revision 3.

Recommendation 9: We recommend that the Chief Information Officer implement procedures to
monitor and review compliance with the password reset procedures to ensure that Help Desk
personnel enforce the password reset policy, which requires the requesting user to be
physically present to allow Help Desk personnel to verify the user’s identity.

Recommendation 10: We recommend that the Chief Information Officer develop and implement
policies and procedures to perform routine vulnerability assessments for all major systems and
general support systems, as required by National Institute of Standards and Technology Special
Publication 800-53A.

Recommendation 11: We recommend that the Chief Information Officer ensure that the Director
of Disaster Recovery and Business Continuity develop and implement contingency planning
policies and procedures; develop contingency plans for the Broadcasting Board of Governors
(BBG) infrastructure (network) and its major systems; provide contingency planning training to
personnel who are responsible for the recovery of the network and systems; perform periodic
testing of BBG’s contingency plans; and update the plan based on lessons learned, as required
by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

Recommendation 12: We recommend that the Chief Information Officer develop and implement a
complete and comprehensive process that meets United States Computer Emergency Readiness
Team’s (US-CERT) requirements for identifying, reporting, and resolving computer security
incidents in a timely manner, as required by National Institute of Standards and Technology
Special Publication 800-61, Revision 1, and Office of Management and Budget Memorandum
M-07-16.
Also, BBG\xe2\x80\x99s Computer Security Incident Management Policy should\nbe revised to include clear and comprehensive guidance for the identification, prioritization, and\nnotification of security incidents, both internally and to US-CERT. The security incident\nidentification and notification procedures should also specifically address the procedures for\nresponding to security incidents involving the breach of personally identifiable information\nwhether the breach occurred in electronic or paper format.\n\n\n\n\n                                                19\n                                       UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n\n                 Appendix A. Objectives, Scope, and Methodology\n       In order to fulfill its responsibilities related to the Federal Information Security\nManagement Act (FISMA), the Office of Inspector General (OIG) contracted with Williams,\nAdley & Company, LLP (referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this appendix), an independent public\naccountant, to evaluate the Broadcasting Board of Governors (BBG) information security\nprogram and practices to determine the effectiveness of such programs and practices for FY\n2011.\n\n        FISMA requires each Federal agency to develop, document, and implement an agency-\nwide program to provide information security for the information systems that support the\noperations and assets of the agency, including those provided or managed by another agency or\ncontractor or another source. To ensure the adequacy and effectiveness of these controls,\nFISMA requires the agency inspector general or an independent external auditor to perform\nannual reviews of the information security program and to report those results to the Office of\nManagement and Budget (OMB) and the Department of Homeland Security (DHS). 
DHS uses this data to assist in oversight responsibilities and to prepare its annual report to Congress regarding agency compliance with FISMA.

We conducted the evaluation from April through September 2011. In addition, we performed the review in accordance with Generally Accepted Government Auditing Standards (GAGAS), FISMA, OMB, and National Institute of Standards and Technology Special Publication (NIST SP) guidance. GAGAS requires that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We and OIG believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We performed fieldwork from April through July 31, 2011. Our fieldwork was completed before OMB Memorandum M-11-33, dated September 14, 2011, was issued. This memorandum provided instructions for FY 2011 reporting requirements. We reviewed the memorandum and determined that no additional testing was required to fulfill the FISMA reporting requirements.

We used the following laws, regulations, and policies to evaluate the adequacy of the controls in place at BBG:

• OMB Memoranda M-02-01, M-07-16, M-08-21, and M-11-33.[1]
• BBG policies and procedures such as the BBG Computer Security Incident Management Policy.
• Federal laws, regulations, and standards such as FISMA and those contained in OMB Circular No. A-130, Revised,[2] and OMB Circular No. A-11.[3]
• NIST SPs, Federal Information Systems Processing Publications (FIPS), other applicable NIST publications, and industry best practices.

In our evaluation, we assessed BBG's information security program policies, procedures, and processes in the following areas:

• Risk management framework (formerly Certification & Accreditation)
• Security configuration management
• Incident response and reporting
• Security training
• Plans of action and milestones
• Remote access
• Account and identity management
• Continuous monitoring
• Contingency planning
• Oversight of contractor systems
• Security architecture and capital planning

The evaluation covered the period October 1, 2010, to September 30, 2011. During the fieldwork, we took the following actions:

• Determined the extent to which BBG's information security plans, programs, and practices complied with FISMA requirements; applicable Federal laws, regulations, and standards; relevant OMB Circular No. A-130, revised, processes and reporting requirements included in Appendix III; and NIST and FIPS requirements.
• Reviewed relevant security programs and practices to report on the effectiveness of BBG's agency-wide information security program in accordance with OMB's annual FISMA reporting instructions. The evaluation approach addressed OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated September 14, 2011.
• Assessed programs for monitoring of security policy and program compliance and responding to security events (that is, unauthorized changes detected by intrusion detection systems).
• Performed testing of major systems at the discretion of OIG.
• Assessed the adequacy of internal controls related to the areas reviewed. Control deficiencies identified during the review are included in this report.
• Evaluated BBG's remedial actions taken to address the previously reported Information Security Program control weaknesses identified in OIG's Review of the Information Security Program at the Broadcasting Board of Governors (AUD/IT/IB-11-08, November 2010).

[1] OMB Memoranda M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, Oct. 17, 2001; M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007; M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 14, 2008; and M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Sept. 14, 2011.
[2] OMB Circular No. A-130 Revised, Management of Federal Information Resources, app. III, "Security of Federal Automated Information Resources," Nov. 30, 2000.
[3] OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget, Aug. 2011.

Appendix B. Followup of Recommendations From the FY 2010 FISMA Report

The evaluation team reviewed actions implemented by management to mitigate the findings identified in the FY 2010 FISMA report. The current status of each of the recommendations follows:

Recommendation 1: We recommend that the Chief Information Officer ensure that the Information Technology Director develop and implement a process to update, not less than annually, the Broadcasting Board of Governors (BBG) system inventory when changes occur or are made to those information systems operated by or under the control of BBG or by those third-party contractors or agencies on behalf of BBG.

2011 Status – Open; this repeat recommendation has become Recommendation 1 (Finding A) in the FY 2011 report.

Recommendation 2: We recommend that the Chief Information Officer continue efforts to complete the certification and accreditation of the Broadcasting Board of Governors major systems to include the development and maintenance of documentation used in the certification process and the security accreditation decision, inclusive of the Federal Information Processing Standards Publication 199 system categorization, risk assessment, system security plan, plan of action and milestones, and contingency plan.

2011 Status – Closed.

Recommendation 3: We recommend that the Chief Information Officer ensure that the appropriate information technology personnel are assigned to develop and implement standard operating procedures for security configuration and performance measurement and ensure that management of the Broadcasting Board of Governors periodically assess compliance with the implemented procedures.

2011 Status – Closed.

Recommendation 4: We recommend that the Chief Information Officer develop standard operating procedures, including the performance of periodic security assessments and continuous monitoring for security threats, for the oversight of all systems and hardware that are connected to the Broadcasting Board of Governors network.

2011 Status – Open; this repeat recommendation has become Recommendation 2 (Finding B) in the FY 2011 report.

Recommendation 5: We recommend that the Chief Information Officer update the security awareness training policy requiring all new employees and contractors to attend initial security awareness training, require all employees and contractors to receive refresher training annually, develop disciplinary actions for those who do not take annual refresher training, and develop training for personnel who have significant security responsibilities.

2011 Status – Open; this repeat recommendation has become Recommendation 4 (Finding C) in the FY 2011 report.

Recommendation 6: We recommend the Chief Information Officer develop a policy requiring responsible managers to review and update Plans of Action and Milestones (POA&M) at a minimum, on a quarterly basis; review the quarterly POA&M reports; and assess the timeliness of corrective actions to allocate resources needed to prevent delays.

2011 Status – Open; this repeat recommendation has become Recommendation 5 (Finding D) in the FY 2011 report.

Recommendation 7: We recommend that the Chief Information Officer implement security mechanisms that assess the adequacy of the security configurations of third-party devices that request access to the Broadcasting Board of Governors (BBG) network prior to granting the requested access. Improperly configured devices should not be allowed to access the BBG network.

2011 Status – Open; this repeat recommendation has become Recommendation 6 (Finding E) in the FY 2011 report.

Recommendation 8: We recommend that the Chief Information Officer limit remote access privileges to employees who have been properly authorized by user management in accordance with the Broadcasting Board of Governors remote access policies and procedures.

2011 Status – Closed.

Recommendation 9: We recommend that the Chief Information Officer implement password management policy and procedures that require system users to select, at a minimum, three of the following four categories when establishing a system's passwords: English uppercase characters (A through Z); English lowercase characters (a through z); base 10 digits (0 through 9); or non-alphabetic characters, such as !, $, #, or %.

2011 Status – Closed.

Recommendation 10: We recommend that the Chief Information Officer develop procedures that require individual users to establish password reset information that only the individual users can verify when they request password reset by telephone.

2011 Status – Closed.

Recommendation 11: We recommend that the Chief Information Officer restrict the use of guest, test, and shared user accounts to ensure user accountability.

2011 Status – Open; this repeat recommendation has become Recommendation 7 (Finding F) in the FY 2011 report.
Recommendation 12: We recommend that the Chief Information Officer allocate existing resources or acquire additional resources, if needed, to develop and implement policies and procedures for the routine performance of security assessments for all major systems and general support systems. The results of such security assessments should be reviewed, and Plans of Action and Milestones should be developed for the improvement of the security controls of major systems and general support systems.

2011 Status – Open; this repeat recommendation has become Recommendation 10 (Finding G) in the FY 2011 report.

Recommendation 13: We recommend that the Chief Information Officer record all security incidents in the ticketing systems for centralized reporting, analysis, monitoring, and resolution.

2011 Status – Closed.

Recommendation 14: We recommend that the Chief Information Officer ensure that the Director of Disaster Recovery and Business Continuity develop and implement contingency planning policies and procedures; develop contingency plans for the Broadcasting Board of Governors (BBG) infrastructure (network) and its major systems; provide contingency planning training to personnel; perform periodic testing of BBG's contingency plans; and make updates to the plan based on lessons learned.

2011 Status – Open; this repeat recommendation has become Recommendation 11 (Finding H) in the FY 2011 report.

Appendix C. Broadcasting Board of Governors Response

INTERNATIONAL BROADCASTING BUREAU

November 2, 2011

Mr. Harold W. Geisel
Deputy Inspector General
Office of Inspector General
U.S. Department of State

Dear Mr. Geisel:

This is in response to the e-mail from Ms. Amy Conigliaro, dated October 27, 2011, regarding the Office of Inspector General's (OIG) Draft Report titled, "Evaluation of the Broadcasting Board of Governors Information Security Program," Report Number AUD/IT-XX-XX-XXX, dated October 2011.

The Broadcasting Board of Governors is grateful for the opportunity to review the OIG's draft report. Our IT staff made a concerted effort to cooperate with the team and provide an open forum of discussion and a willingness to comply with the team's requests for documentation. We appreciate the team's recognition of this effort during the FISMA review process and believe the report will be helpful to us in strengthening BBG's information security program. Our detailed comments on the draft report recommendations are annotated on the enclosure.

(b)(6)

Enclosure: As stated

Enclosure

Broadcasting Board of Governors (BBG) Response to the Office of Inspector General's (OIG) Office of Audits Draft Report titled, "Evaluation of the Broadcasting Board of Governors Information Security Program," Report Number AUD/IT-XX-XX-XXX, dated October 2011

Recommendation 1: We recommend that the Chief Information Officer ensure that the selected system inventory management software tool is acquired and implemented and a process is developed to update, not less than annually, the Broadcasting Board of Governors' (BBG) system inventory when changes are made to those information systems operated by or under the control of BBG or by third-party contractors or agencies on behalf of BBG as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response: The BBG concurs. The BBG has acquired the inventory management software tool and is currently installing and configuring the tool. The CIO will oversee testing of this tool and the development of a process to update BBG's system inventory periodically.

Recommendation 2: We recommend that the Chief Information Officer complete the development and implementation of security configuration procedures and periodically assess compliance with the implemented procedures as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response: The BBG concurs. The CIO will oversee the collection and organization of any existing security configuration procedures, will assess progress to complete the development and implementation of additional procedures by March 31, 2012 and will periodically assess compliance with these implemented procedures.

Recommendation 3: We recommend that the Chief Information Officer develop procedures to ensure that security controls are properly managed and maintained for all systems that access the Broadcasting Board of Governors' network as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response: The BBG concurs. The CIO will oversee the development of procedures to provide oversight such that security controls are properly managed and maintained for all systems that directly access the BBG network by March 31, 2012.

Recommendation 4: We recommend that the Chief Information Officer update the security awareness training policy requiring all new personnel to attend initial and refresher security awareness training and enforce consequences of noncompliance for personnel who do not successfully complete the security awareness training, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3 and the Broadcasting Board of Governor's information security policies.

Response: The BBG concurs. The CIO has initiated discussions with the BBG's Office of Human Resources (HR) to require all new personnel to attend initial or refresher security awareness training. In addition, the CIO will update the security awareness training policy by December 31, 2011. The CIO also will work with HR to develop and implement consequences for personnel who are non-compliant with the policy, while minimizing the impact on Agency operations and the BBG mission.

Recommendation 5: We recommend the Chief Information Officer develop a policy requiring responsible managers to review and update Plans of Action and Milestones (POA&M) and assess the timeliness of corrective actions to determine whether additional resources may need to be allocated to prevent delays as required by the Office of Management and Budget Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, September 14, 2011.

Response: The BBG concurs. The CIO will edit the current POA&M policy by December 31, 2011, to require responsible managers to review and update their respective POA&Ms periodically. The CIO or his designee also will review these POA&M reports periodically to determine whether or not additional resources need to be allocated.

Recommendation 6: We recommend that the Chief Information Officer implement the process and software tool to assess the adequacy of the security configurations of third-party devices that request access to the Broadcasting Board of Governors' network and grant access only to properly configured devices as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response: The BBG concurs. The CIO will develop the process and initiate planning and testing of the software tool intended to assess the adequacy of the security configurations of third-party devices that request access (generally through a Virtual Private Network (VPN)) to the BBG network and will grant access only to those whose configurations are deemed sufficient, by March 31, 2012, pending allocation of sufficient funds for this purpose.

Recommendation 7: We recommend that the Chief Information Officer establish policies and procedures to restrict the use of guest, test, and shared user accounts to ensure user accountability in accordance with the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response: The BBG concurs. The CIO has made significant progress in reviewing the history and rationale of guest, test, and shared user accounts. The CIO will develop policies and procedures to restrict the use of guest, test, and shared user accounts to ensure user accountability for access to BBG computing resources by December 31, 2011.

Recommendation 8: We recommend that the Chief Information Officer establish policies and procedures requiring system owners to notify account managers when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes, in accordance with the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response: The BBG concurs. The CIO will develop policies and procedures requiring system owners to notify account managers when user employment status or system access needs change by March 31, 2012.

Recommendation 9: We recommend that the Chief Information Officer implement procedures to monitor and review compliance with the password reset procedures to ensure that Help Desk personnel enforce the password reset policy, which requires the requesting user to be physically present to allow Help Desk personnel to verify the user's identity.

Response: The BBG concurs. The CIO will develop and implement procedures for monitoring and reviewing compliance with the password reset procedures by March 31, 2012. The CIO also will review the password reset policy and consider alternative methods for implementing the user identification requirements.

Recommendation 10: We recommend that the Chief Information Officer develop and implement policies and procedures to perform routine vulnerability assessments for all major systems and general support systems as required by the National Institute of Standards and Technology Special Publication 800-53A.

Response: The BBG concurs. The BBG has acquired a software tool and is currently installing and configuring the tool. The CIO will develop policies and procedures to perform routine vulnerability assessments with the tool for all major systems and general support systems by December 31, 2011.

Recommendation 11: We recommend that the Chief Information Officer ensure that the Director of Disaster Recovery and Business Continuity develop and implement contingency planning policies and procedures, develop contingency plans for the Broadcasting Board of Governors' (BBG) infrastructure (network) and its major systems, provide contingency planning training to personnel who are responsible for the recovery of the network and systems, perform periodic testing of BBG's contingency plans, and update the plan based on lessons learned as required by the National Institute of Standards and Technology Special Publication 800-34, Revision 1.

Response: The BBG concurs. Although the BBG's IT Directorate in the Office of Technology, Services, and Innovation (TSI) does have data backup, restoration plans, and deep investments in internal redundant architecture, the BBG agrees to further develop contingency plans and increase investments in offsite systems to be used for business continuity. To support and lead this effort, the CIO is planning to add a Disaster Recovery and Business Continuity Manager position by March 31, 2012, to focus specifically on this subject. All positions and equipment required to meet this recommendation are subject to available funding.

Recommendation 12: We recommend that the Chief Information Officer develop and implement a complete and comprehensive process that meets the US-CERT's requirements for identifying, reporting, and resolving computer security incidents in a timely manner as required by the National Institute of Standards and Technology Special Publication 800-61, Revision 1 and Office of Management and Budget Memorandum M-07-16. BBG's Computer Security Incident Management Policy should be revised to include clear and comprehensive guidance for the identification, prioritization, and notification of security incidents, both internally and to the US-CERT. The security incident identification and notification procedures should also specifically address the procedures for responding to security incidents involving the breach of personally identifiable information whether in electronic or paper format.

Response: The BBG concurs. The BBG will modify the policy, as requested, by December 31, 2011.

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs and resources hurts everyone.

Call the Office of Inspector General HOTLINE, 202/647-3320 or 1-800-409-9926, to report illegal or wasteful activities.

You may also write to: Office of Inspector General, U.S. Department of State, Post Office Box 9778, Arlington, VA 22219.

Please visit our Web site at oig.state.gov

Cables to the Inspector General should be slugged "OIG Channel" to ensure confidentiality.